VYPR

npm package

fuxa-server

pkg:npm/fuxa-server

Vulnerabilities (14)

  • CVE-2026-25895 (Feb 9, 2026)
    affected < 1.2.10; fixed 1.2.10

    FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. A path traversal vulnerability in FUXA allows an unauthenticated, remote attacker to write arbitrary files to arbitrary locations on the server filesystem. This affects FUXA through version 1.2.9. This issu

  • CVE-2026-25894 (Feb 9, 2026)
    affected < 1.2.10; fixed 1.2.10

    FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An insecure default configuration in FUXA allows an unauthenticated, remote attacker to gain administrative access and execute arbitrary code on the server. This affects FUXA through version 1.2.9 when auth

  • CVE-2026-25893 (Feb 9, 2026)
    affected < 1.2.10; fixed 1.2.10

    FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. Prior to 1.2.10, an authentication bypass vulnerability in FUXA allows an unauthenticated, remote attacker to gain administrative access via the heartbeat refresh API and execute arbitrary code on the serve

  • CVE-2026-25951 (Feb 9, 2026)
    affected < 1.2.11; fixed 1.2.11

    FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. Prior to 1.2.11, a flaw in the path sanitization logic allows an authenticated attacker with administrative privileges to bypass directory traversal protections. By using nested traversal sequences

  • CVE-2026-25939 (Feb 9, 2026)
    affected >= 1.2.8, < 1.2.11; fixed 1.2.11

    FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. From 1.2.8 through version 1.2.10, an authorization bypass vulnerability in FUXA allows an unauthenticated, remote attacker to create and modify arbitrary schedulers, exposing connected ICS/SCADA envir

  • CVE-2026-25938 (Feb 9, 2026)
    affected >= 1.2.8, < 1.2.11; fixed 1.2.11

    FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. From 1.2.8 through 1.2.10, an authentication bypass vulnerability in FUXA allows an unauthenticated, remote attacker to execute arbitrary code on the server when the Node-RED plugin is enabled. This has bee

  • CVE-2026-25751 (Feb 6, 2026)
    affected < 1.2.10; fixed 1.2.10

    FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An information disclosure vulnerability in FUXA allows an unauthenticated, remote attacker to retrieve sensitive administrative database credentials. Exploitation allows an unauthenticated, remote attacker

  • CVE-2026-25752 (Feb 6, 2026)
    affected < 1.2.10; fixed 1.2.10

    FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An authorization bypass vulnerability in FUXA allows an unauthenticated, remote attacker to modify device tags via WebSockets. Exploitation allows an unauthenticated, remote attacker to bypass role-based ac

  • CVE-2025-69983 (Feb 3, 2026)
    affected <= 1.2.7

    FUXA v1.2.7 allows Remote Code Execution (RCE) via the project import functionality. The application does not properly sanitize or sandbox user-supplied scripts within imported project files. An attacker can upload a malicious project containing system commands, leading to full s

  • CVE-2025-69981 (Feb 3, 2026)
    affected <= 1.2.7

    FUXA v1.2.7 contains an Unrestricted File Upload vulnerability in the `/api/upload` API endpoint. The endpoint lacks authentication mechanisms, allowing unauthenticated remote attackers to upload arbitrary files. This can be exploited to overwrite critical system files (such as t

  • CVE-2025-69970 (Feb 3, 2026)
    affected <= 1.2.7

    FUXA v1.2.7 contains an insecure default configuration vulnerability in server/settings.default.js. The 'secureEnabled' flag is commented out by default, causing the application to initialize with authentication disabled. This allows unauthenticated remote attackers to access sen

  • CVE-2023-31719 (Sep 21, 2023)
    affected <= 1.1.12

    FUXA <= 1.1.12 is vulnerable to SQL Injection via /api/signin.

  • CVE-2023-31718 (Sep 21, 2023)
    affected <= 1.1.12

    FUXA <= 1.1.12 is vulnerable to Local File Inclusion via /api/download.

  • CVE-2023-31717 (Sep 21, 2023)
    affected <= 1.1.12

    A SQL Injection attack in FUXA <= 1.1.12 allows exfiltration of confidential information from the database.